New Phishing Technique Outfoxes Site Owners: Operation Huyao

We’ve found a new phishing technique targeting online shopping sites that may significantly change the threat landscape for phishing sites. Conventional phishing sites require an attacker to replicate the targeted site; a more accurate copy is more likely to fool intended victims.

The technique we found allows for the creation of nearly perfect copies, because the attacker no longer needs to create a copy of the site at all. Instead, the phishing page only contains a proxy program, which acts as a relay to the legitimate site. Pages are modified only at the point where information is to be stolen. The owners of the legitimate site would find it very difficult to detect these attacks against their customers.

We decided to call this particular attack Operation Huyao. In Chinese, huyao means a monstrous fox. The rather sneaky behavior of this attack, together with the fact that we believe the creators of this attack are located in China, made this name feel rather appropriate.

Conventional phishing attacks and Huyao attacks

To carry out a conventional phishing attack, an attacker needs to capture, copy, and modify the code for the target organization’s website and host it on their own site. This could be hosted either on a malicious site or on a compromised site (particularly a subdirectory or subdomain).

Many legitimate shopping sites use subdirectories to divide their store into various sections. Something like this, for example, would be perfectly reasonable:

http://{legitimate site}/clothes/

http://{legitimate site}/food/

http://{legitimate site}/music/

With a conventional attack, it’s likely that three phishing sites would need to be prepared. In Operation Huyao, a single malicious domain was used to target multiple stores, like so:

http://{malicious domain}/clothes/tslyphperaHR0cDov{BLOCKED}.html

The URL contains an identifier which flags the URL as being used by these relay attacks – tslyphper. The rest of the HTML file’s name identifies the site that is the target of the attack: the URL of the targeted site is stored in the phishing URL and can be recovered by Base64 decoding that part of the file name.
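The following is an added example, not code from the original article, showing how a defender can triage URLs (from proxy logs, search-result feeds or abuse reports) for this naming pattern and recover the relayed target site. It assumes the marker `tslyphper` appears in the path, that the Base64 text runs up to the `.html` suffix, and that the encoding is either standard or URL-safe Base64 with or without padding; the article only states that the target is found "after BASE64 decoding", so the decoder is deliberately lenient. The sample URLs are constructed.

```python
import base64
import binascii
from urllib.parse import urlparse

# Marker the article reports in Operation Huyao phishing URLs.
HUYAO_MARKER = "tslyphper"

# Base64 of "http:/" and "https:" respectively; the page's own example starts
# with "aHR0cDov", so the encoded target begins with one of these.
ENCODED_SCHEME_PREFIXES = ("aHR0cDov", "aHR0cHM6")


def _b64_decode_lenient(text: str):
    """Decode Base64 that may lack padding or use the URL-safe alphabet.

    Assumption: the exact Base64 variant used by the attackers is not stated
    in the article, so the alphabet is chosen from the characters present.
    Returns bytes, or None when the text is not valid Base64.
    """
    padded = text + "=" * (-len(text) % 4)
    try:
        if "-" in text or "_" in text:
            return base64.urlsafe_b64decode(padded)
        # validate=True rejects characters outside the alphabet instead of
        # silently dropping them, which would otherwise yield garbage.
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def extract_huyao_target(url: str):
    """Return the relayed target URL if `url` follows the Huyao pattern, else None."""
    path = urlparse(url).path
    idx = path.find(HUYAO_MARKER)
    if idx < 0:
        return None
    encoded = path[idx + len(HUYAO_MARKER):]
    if encoded.endswith(".html"):
        encoded = encoded[: -len(".html")]
    raw = _b64_decode_lenient(encoded)
    if raw is None:
        return None
    try:
        decoded = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    # Only accept an absolute URL; anything else is not a relay target.
    if not decoded.startswith(("http://", "https://")):
        return None
    return decoded


def has_huyao_prefix(url: str) -> bool:
    """Cheap pre-filter for log grepping: marker immediately followed by an
    encoded http/https scheme, as in the article's example."""
    return any(HUYAO_MARKER + p in url for p in ENCODED_SCHEME_PREFIXES)


def scan_urls(urls):
    """Return (phishing_url, target_url) pairs for every URL that decodes."""
    findings = []
    for url in urls:
        target = extract_huyao_target(url)
        if target is not None:
            findings.append((url, target))
    return findings


# Constructed sample data: a fake target store and a matching relay URL.
CONSTRUCTED_TARGET = "http://shop.example/clothes/item/123"
CONSTRUCTED_PHISH_URL = (
    "http://malicious.example/clothes/"
    + HUYAO_MARKER
    + base64.b64encode(CONSTRUCTED_TARGET.encode()).decode().rstrip("=")
    + ".html"
)

if __name__ == "__main__":
    for phish, target in scan_urls([CONSTRUCTED_PHISH_URL, "http://shop.example/food/"]):
        print(f"{phish}\n  -> relays {target}")
```

Because the target site is embedded in the attacker's URL, a store owner can run this over any URL feed and immediately see whether their own domain is being relayed, without needing to visit the phishing page.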

How the attack proceeds

Conceptually, the attack overall is simple. The attacker’s malicious site acts as a relay/proxy for the original site. So long as the would-be-victim is just browsing around the site, they see the same content as they would on the original site. It is only when any payment information is entered that modified pages are displayed to the user.

It does not matter what device (PC/laptop/smartphone/tablet) or browser is used, as the attacker proxies all parts of the victim’s HTTP request and all parts of the legitimate server’s response.
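Because every victim's request is relayed by the attacker's server, the legitimate site sees all of that traffic arriving from the proxy's address while the User-Agent strings still reflect the victims' own devices. The following is an added example, not code from the original article, of a server-side heuristic that parses Apache/Nginx combined-format access log lines and flags source addresses that present an unusually diverse set of User-Agents. The log lines, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict

# Combined log format: %h %l %u [%t] "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_relay_candidates(lines, min_requests=10, min_user_agents=4):
    """Flag source IPs that send many requests under many distinct User-Agents.

    A single browser keeps one User-Agent; a relay forwarding many victims'
    requests shows a different one per victim. Thresholds are assumptions
    to be tuned per site.
    """
    per_ip = defaultdict(lambda: {"requests": 0, "user_agents": set(), "paths": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        stats = per_ip[rec["ip"]]
        stats["requests"] += 1
        stats["user_agents"].add(rec["ua"])
        stats["paths"].add(rec["path"])

    findings = {}
    for ip, stats in per_ip.items():
        if stats["requests"] >= min_requests and len(stats["user_agents"]) >= min_user_agents:
            findings[ip] = {
                "requests": stats["requests"],
                "distinct_user_agents": len(stats["user_agents"]),
                "paths": sorted(stats["paths"]),
            }
    return findings


# ---- Constructed sample log ------------------------------------------------
def _log(ip, path, ua, ts="12/Nov/2014:10:00:00 +0900"):
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 4096 "-" "{ua}"'


UAS = [
    "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0 Safari/537.36",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 8_1 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12B411",
    "Mozilla/5.0 (Linux; Android 4.4.2; Nexus 5 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0 Mobile Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0",
    "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)",
]

SAMPLE_LOG = []
# Three ordinary shoppers: one address, one browser each.
for ip, ua in [("198.51.100.10", UAS[0]), ("198.51.100.11", UAS[1]), ("198.51.100.12", UAS[3])]:
    for path in ("/", "/clothes/", "/clothes/item/123"):
        SAMPLE_LOG.append(_log(ip, path, ua))
# One relay address forwarding twelve requests from five different devices.
for i in range(12):
    path = ["/", "/clothes/", "/clothes/item/123", "/food/"][i % 4]
    SAMPLE_LOG.append(_log("203.0.113.7", path, UAS[i % 5]))

if __name__ == "__main__":
    for ip, info in find_relay_candidates(SAMPLE_LOG).items():
        print(ip, info)
```

Large NAT gateways and corporate proxies also present many User-Agents from one address, so this is a triage signal rather than proof; it becomes much stronger when the flagged address's requests stop exactly at the Add to Basket step, which is where the article says the relay hands off to the attacker's own pages.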

The overall flow of this attack is shown in the diagram below:

Figure 1. Overall attack flow

To get the user to the malicious site, various blackhat SEO techniques have been used to insert the malicious sites in question to various product-related searches, as seen in the screenshot below. (The targeted shopping site was in Japanese, which is why the sites are in Japanese as well.)

Figure 2. Search results with malicious links

The changes begin when the user is about to buy a product. The Add to Basket function has been rewritten by the attacker in order to carry out the attack.

Figures 3 and 4. Price on actual site versus price on phishing site

Note the difference between the two pages – the price has been significantly reduced. This may have been done in order to lure in would-be savers. Clicking on the “Add to Basket” button on the legitimate site takes the user via HTTPS to the actual shopping basket. On the phishing site, the user goes to the following page via an unprotected HTTP connection:

The URL above contains both the price (3073 yen) and the name of the item in question. All of the pages beyond this point are created by the attacker to carry out information theft.

As is typical in a checkout process, the user is shown a series of pages where they have to enter their information.

Figure 5. Page asking for personal information

The information asked for in this page is:

Name

Pronunciation

Postal code

Prefecture

City or Country

Address

Phone number

Email address

Password

The format of the above page would be regarded by Japanese users (the target of this attack) as completely normal.

In the next page, the users are asked to enter their payment information:

Figure 6. Page asking for credit card information

Here, the users are asked to enter the following:

Payment method/card issuer

Card number

Card expiration date

Name of cardholder

Security code

One more screen appears, which is designed to defeat card verification services provided by some card networks. These ask for a separate password meant to verify that the actual cardholder is authorizing the account. By acquiring this password, the attackers can get around this verification system.

Oddly, these fake verification pages ask for an ID/user name of some sort, which is not part of the actual verification process. The “personal message” specified by the user is not present (as, obviously, the attacker would not have had prior access to it).

Figure 7. Page asking for credit card authentication password

Finally, an email message thanking the user for their order is sent to the address provided earlier. The message also contains the items that the user supposedly ordered from the online store:

Figure 8. Email with supposed transaction details

All this leaves the user with the impression that they have carried out a successful transaction, unaware that they have fallen victim to a phishing attack.

Implications

So far, we have only identified this attack targeting one specific online store in Japan. However, if this attack becomes more prominent, it could become a very worrying development: it makes phishing harder for end users to detect, as the phishing sites will be nearly identical to the original sites.

In addition, attackers will no longer have to put much effort into duplicating entire shopping sites. They will only have to duplicate the payment pages, which is an easier task.

We will continue to monitor and block all phishing attacks that use this or other similar methodologies.
